Privacy Notice
Echos Consultancy Ltd (“Echos Consultancy”, “we”, “us”, “our”) is fully committed
to protecting and respecting the personal data in our care.
This Privacy Notice (“Notice”) explains why
and how we collect and use personal data, and outlines the rights of
individuals in accordance with the UK General Data Protection Regulation (UK
GDPR) and the Data Protection Act 2018 (“the Act”).
Under the UK GDPR, personal data refers to
any information relating to an identified or identifiable individual (“data
subject”), such as a name, identification number, contact details, location
data, or one or more factors specific to that person’s identity.
We may use personal data provided to us for
any of the purposes described in this Notice, or for purposes clearly stated at
the point of collection.
From time to time, certain services may be
delivered by companies affiliated with or engaged by Echos
Consultancy Ltd.
Accordingly, this Privacy Notice describes
how and why we collect and process personal data, both directly from
individuals and indirectly when acting on behalf of others.
Data Controller and Contact Information
The data controller is Echos
Consultancy Ltd, unless otherwise specified in relation to particular
processing activities.
In certain cases, we may act as a data
processor—that is, processing personal data on behalf of another organisation
(the controller) and under its instructions.
If you have any questions about this Notice
or about how and why we process personal data, you can contact us at:
info@echosconsultancy.com
We also collect certain information
automatically when you visit our website, such as your IP address, browser
type, pages visited, and usage data (including cookies and similar
technologies).
Personal Data We Collect
We may collect, store and use the following
categories of personal data about you, depending on our relationship with you
and the services we provide:
Identity & Contact Information: Full name, title, date of
birth, gender, marital status, business and home address, email address,
telephone numbers, and other contact information.
Business / Professional Information: Job title, employer, business
address, professional background, qualifications, organisation structure, role
within an organisation.
Contractual, Service & Transactional Data: Details of consultancy
engagements, contracts, correspondence, project deliverables,
reports, feedback, and any data you supply to us in relation to services.
Financial & Payment Data: Bank account details, invoicing and
billing information, payment history, tax identifiers, and other financial /
accounting data.
Compliance, Verification & Identity Check Data: Identification
documents (passport, driving licence, national ID), proof of address,
declarations, conflict-of-interest information, compliance documentation (e.g.
KYC, AML).
Recruitment & HR-related Data: Where applicable, your CV,
educational history, employment references, screening records, interview notes.
Supplier & Partner Data: Personal data relating to
individuals connected with our suppliers, subcontractors or partners (e.g.
names, contact details, roles, service delivery information).
Technical & Website / Platform Usage Data: IP address, browser type
and version, device identifiers, time zone settings,
referral URLs, pages visited, links clicked, session durations, usage logs,
cookies and similar tracking technologies.
Special Category Data (where applicable & with proper legal basis): In
limited situations, and only if necessary, we may collect and process special
categories of personal data such as medical information or criminal records.
Any such processing will only occur where it is lawful and necessary, under
the safeguards set out in Article 9 and Article 10 of the UK GDPR and the Data
Protection Act 2018, and where an appropriate legal basis (such as explicit
consent or substantial public interest) applies.
Data We Hold
The type and amount of personal data we
hold about you depends on the nature of your relationship with Echos Consultancy Ltd and the services we provide. We
ensure that all personal data is relevant, limited to what is necessary, and
securely retained in accordance with our internal data protection and retention
policies.
We may hold personal data in the following
contexts:
In all cases, the data we hold is used only
for legitimate business purposes and in line with the lawful bases described in
this Notice.
How We Collect Personal Data
We collect personal data from various
sources depending on your relationship with Echos
Consultancy Ltd. Most information is provided directly by you when you contact
us, engage our services, attend events, complete forms, or apply for a role. We
may also collect limited technical data automatically through our website and
online tools, such as your IP address or browser information, using cookies and
analytics (see our Cookie Notice). In addition, we may receive data from third
parties, including clients, business partners, and publicly available sources
like Companies House or LinkedIn, as well as information generated during the
delivery and management of our services.
Lawful Bases for Processing Personal Data
We process personal data only where permitted by law, in line with the UK GDPR and the
Data Protection Act 2018. The main reasons include performing our contractual
obligations, complying with legal and regulatory requirements, pursuing our
legitimate business interests such as managing and improving our services, and
where you have given consent, for example, to receive marketing communications.
In limited cases, we may also process special category or criminal record data
when required by employment law, regulatory duties, or with your explicit
consent.
Why We Use Personal Data
We use personal data only for legitimate
and proportionate business purposes, and always in compliance with data
protection law. The specific reasons for processing depend on your relationship
with Echos Consultancy Ltd, but generally include the
following:
We process personal data to provide and
manage our consultancy and related professional services, including assessing
client needs, preparing proposals, delivering projects, and maintaining ongoing
relationships. This may involve communicating with clients, partners, or other
stakeholders, sharing updates, and ensuring effective coordination throughout
each engagement.
We also use personal data for business
administration and internal operations, such as accounting, billing, financial
reporting, quality assurance, and record-keeping. This helps us operate
efficiently, fulfil contractual obligations, and maintain accurate business and
compliance records.
In certain cases, we process data to meet
our legal and regulatory obligations, including anti-money laundering (AML),
tax, and employment requirements, or to cooperate with regulators and
authorities where necessary. We may also process information to protect our
rights, manage potential disputes, or establish, exercise, or defend legal
claims.
For individuals who apply for roles or work
with us, we process personal data to manage recruitment and engagement
activities, including evaluating suitability, verifying qualifications or
references, and performing background or compliance checks where legally
permitted.
We may also use personal data to improve
our services and systems, analyse performance, and ensure information security,
confidentiality, and data integrity across our operations.
Where you have given consent, or where we
have a legitimate interest to do so, we may use contact details for marketing
and communication purposes such as sending newsletters, event invitations,
service updates, or relevant insights. You can withdraw your consent or update
your communication preferences at any time.
All personal data is processed fairly,
lawfully, and transparently, and we do not use it in ways that are incompatible
with the original purposes for which it was collected.
Data Sharing and Disclosure
We only share personal data where it is
necessary, proportionate, and lawful to do so.
Depending on the nature of the relationship
or service, we may share personal data with trusted third parties under strict
confidentiality and data protection obligations.
We may share information with:
· Service providers and professional advisers who support our operations,
such as IT and cloud hosting providers, accountants, auditors, legal advisers,
and compliance or background-check partners;
· Business partners and associated entities that collaborate with us to
deliver consultancy projects or provide complementary services, where
appropriate data-sharing agreements are in place;
· Regulatory authorities, government bodies, and law enforcement agencies,
where disclosure is required by law or to comply with statutory and
professional obligations (for example, AML, tax, or reporting requirements);
· Clients or third parties involved in the delivery of a service, but only
where it is relevant and consistent with our engagement terms;
· Recruitment and screening providers, where personal data is processed for
employment or contractor vetting purposes and lawful bases apply.
All third parties receiving data from us
are required to handle it securely, use it only for the specified purpose, and
comply with applicable data protection law.
We do not sell, rent, or otherwise make
personal data commercially available to any unrelated third party.
Where data is transferred outside the
United Kingdom or the European Economic Area (EEA), we ensure that adequate
safeguards are in place, such as Standard Contractual Clauses or an adequacy
decision recognised under UK GDPR, to protect your information.
Data Security
We take the protection of personal data
very seriously and implement appropriate technical and organisational measures
to safeguard it against unauthorised access, loss, misuse, alteration or
disclosure.
Our security measures include controlled
access to data, secure storage and encryption where appropriate, regular system
monitoring, staff training on data protection responsibilities, and policies
that ensure confidentiality and integrity of information at all times.
We limit access to personal data to those
employees, contractors and third-party service providers who need it to perform
their duties, and they are subject to strict confidentiality obligations.
In the event of a data breach that poses a
risk to your rights or freedoms, we will take immediate steps to mitigate the
impact and will notify the Information Commissioner’s Office (ICO) and affected
individuals when required by law.
All systems, tools and cloud platforms used
by Echos Consultancy are selected and managed with
data security and compliance in mind, following current UK GDPR standards and
good industry practice.
Data Retention
We retain personal data only for as long as
necessary to fulfil the purposes for which it was collected, including to meet
legal, regulatory, contractual, accounting or reporting requirements.
The specific retention period depends on
the type of data and the nature of our relationship with you. For example,
client and service records are generally kept for the duration of the
engagement and for a defined period afterwards to comply with legal obligations
or to protect our legitimate interests in the event of a claim. Recruitment
information is retained for a limited time after a position is filled, unless
you have given consent for us to keep it longer for future opportunities.
When personal data is no longer required,
we will securely delete, anonymise or destroy it in line with our data
retention and destruction policies.
If you would like further details on how
long we keep particular categories of personal data, you can contact us using
the details provided in this Notice.
Your Rights
Under the UK General Data Protection
Regulation (UK GDPR), you have a number of rights in relation to your personal
data. These rights are designed to give you transparency, control and assurance
over how your information is used.
You have the right to:
· Access the personal data we hold about you and receive a copy of it.
· Rectify any inaccurate or incomplete information.
· Erase your data in certain circumstances, for example when it is no longer
needed for the purposes it was collected.
· Restrict or limit the way your data is processed in specific situations.
· Object to processing where it is based on legitimate interests or for
direct marketing purposes.
· Data portability, meaning to receive your data in a structured, commonly
used and machine-readable format, and to request that we transfer it to
another controller.
· Withdraw consent where processing is based on your consent, without
affecting the lawfulness of prior processing.
If you wish to exercise any of these
rights, please contact us using the details provided in this Notice.
We may need to verify your identity before
responding to a request.
We aim to respond to all valid requests
within one month, in accordance with legal requirements.
If you are not satisfied with how we handle
your personal data, you have the right to lodge a complaint with the
Information Commissioner’s Office (ICO), the UK’s supervisory authority for
data protection matters.
Further details can be found at www.ico.org.uk
Contact
If you have any questions about this
Privacy Notice or about how Echos Consultancy Ltd
handles personal data, please contact us at:
Echos Consultancy Ltd
Third Floor, 23 Bedford Row
London, WC1R 4EB
Email: info@echosconsultancy.com
We will review and respond to all enquiries
as promptly as possible and within the timelines required by data protection
law.
If you are not satisfied with our response,
you can raise a concern with the Information Commissioner’s Office (ICO) at
www.ico.org.uk